Password Hashing

4 replies to this topic

#1
IOn Photoshop
    Newbie
  • Members
  • 7 posts
This is a quick tutorial on how to encrypt passwords using PHP. There are a couple of different functions you can use, and you can also make them more secure by using a salt. So first off, I will start by showing you the basic functions to encrypt.

Basic Example 1
$pass = "lol";

$pass = md5($pass); // Will put out a 32-character hash; many sites can attempt to break this by running it through rainbow tables.

Basic Example 2
$pass = "lol";

$pass = sha1($pass); // Will put out a 40-character hash, a bit more secure, but you can still do more!

Better Example 1
$salt = '1A#d';

$pass = "lol";

$pass = sha1($pass . $salt); // Will make the password lol1A#d and then encrypt, making it much harder to find a collision.

Better Example 2
$salt = '1A#d';

$pass = "lol";

$pass = sha1(str_rot13($pass . $salt)); // Will run the actual password through the ROT13 algorithm before encrypting. Basically shifting each letter (only letters, nothing else) by 13 positions and then encrypting.

Hopefully this will help some people to secure their scripts a little bit; if I missed something or maybe made a mistake, please let me know. =)

Edited by IOn Photoshop, 01 January 2012 - 10:24 AM.


#2
Alexander
    It's Science!
  • Moderators
  • 4,124 posts
  • Location: Vancouver, Eh! Cleverness: 200
Hello IOn Photoshop,

A common misconception is that cryptographic hashing functions should be called "encryption". The term, developed circa WWI, is essentially "to make cryptic, encode, or to make coded based on a cipher".

These functions will do "hashing" (chopping and mixing), or in other words map a larger data set to a smaller one as a sum or index. If you stored the length of passwords as a silly hashing method, how do you get "bob" from "3"? That would not make for a good encryption.

Review:

Quote

// Will make the password lol1A#d and then encrypt making it much harder to find a collision.
Assuming you mean sum and not passphrase collision: a 10 GB file should have no more or less potential for collision than a small phrase. If this were not the case, the cryptographic hash would not be chosen for a more official standing.

Quote

// Will run the actual password through rotate13 algorithm before encrypting.
If the order of characters is rendered irrelevant due to the salting, length or added characters, this would only confuse the code.

In all ends:
I would mention md5() so people know what it is and say not to use it (it can be broken in seconds or computed with a garden-variety GPU). SHA-1 is a nice replacement; however, the SHA-2 family (SHA-256, SHA-512, ...) can be seen as more secure with a salt, as they produce larger sums.

Salting should be done per user, and randomly, possibly stored along with each user's password. If one salt is found and used (they have the database), the others aren't, and re-computation will have to be done every time.

Further down the road...
A hash-based message authentication code scheme (HMAC) requires a key to be compromised that is hopefully not in the database. It is also "very slow", possibly preventing exhaustive lookup entirely! You could as well stretch or derive a secure password out of a user-supplied password; a faithful example is with PBKDF2.

A large (less collision/efficiency-prone) hashing function that is well tested, with a salt, is probably the best call for most websites.

Alexander.

Edited by Alexander, 01 January 2012 - 04:43 PM.

Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
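The following is an added example, not code from the original tutorial in post #1 or from Alexander's reply; it puts the advice above into a single PHP script: a random salt per user from random_bytes(), stretching with PBKDF2-SHA256 via hash_pbkdf2(), and a constant-time comparison with hash_equals(). The function names (make_password_record, verify_password), the record layout and the $users array are illustrative assumptions, and the two sample users are constructed for the demo. random_bytes() needs PHP 7.0 or later; hash_pbkdf2() and hash_equals() need PHP 5.5 or later.

```php
<?php
// Added example: per-user random salt + PBKDF2 stretching, as recommended in
// the reply above. Function names and the $users store are illustrative.
// Requires PHP >= 7.0 (random_bytes); hash_pbkdf2/hash_equals are PHP >= 5.5.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 100000;  // raise this as hardware gets faster
const SALT_BYTES        = 16;      // 128-bit random salt, unique per user
const HASH_BYTES        = 32;

// Build the record to store for a new password. Nothing in the record is
// secret except what it was derived from: salt and parameters are stored in
// the clear, so a stolen database still forces a per-user brute force.
function make_password_record(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = random_bytes(SALT_BYTES);
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, HASH_BYTES, true);
    // Self-describing record (algo$iterations$salt$hash, salt/hash in hex) so
    // the iteration count can be raised later without breaking existing users.
    return sprintf('%s$%d$%s$%s', PBKDF2_ALGO, $iterations, bin2hex($salt), bin2hex($hash));
}

// Recompute the hash from the stored salt and parameters and compare in
// constant time, so response timing does not leak how many bytes matched.
function verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4) {
        return false;                      // malformed or foreign record
    }
    list($algo, $iterations, $saltHex, $hashHex) = $parts;
    $salt     = @hex2bin($saltHex);
    $expected = @hex2bin($hashHex);
    if ($salt === false || $expected === false || $expected === '') {
        return false;
    }
    $actual = hash_pbkdf2($algo, $password, $salt, (int) $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);
}

// --- demonstration with constructed sample users --------------------------
$users = [];
$users['alice'] = make_password_record('lol');
$users['bob']   = make_password_record('lol');   // deliberately the same password

// Unsalted md5(): identical passwords give identical hashes, so one rainbow
// table lookup cracks every user who chose "lol".
printf("md5 alice: %s\nmd5 bob:   %s\n", md5('lol'), md5('lol'));

// Per-user salt: the same password yields two unrelated records, so a
// precomputed table is useless and cracking one record says nothing about the other.
printf("pbkdf2 alice: %s\npbkdf2 bob:   %s\n", $users['alice'], $users['bob']);

var_dump(verify_password('lol', $users['alice']));   // correct password
var_dump(verify_password('LOL', $users['alice']));   // wrong case
var_dump(verify_password('lol', 'not a record'));    // malformed record
```

Run it twice and the two alice records differ as well, because the salt is drawn fresh each time; only verify_password(), which reads the salt back out of the record, can tie a password to its stored hash. The iteration count is the slowness knob Alexander refers to: pick the largest value your login path can afford, and re-hash on successful login when a stored record's count is below the current setting.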

#3
RhetoricalRuvim
    JavaScript Programmer
  • Members
  • 1,254 posts
  • Location: C:\Countries\US
I hope you don't mind me asking, but would combinations of operations per character of data for each character in the encryption key make for a secure encryption/decryption algorithm?

#4
Alexander
    It's Science!
  • Moderators
  • 4,124 posts
  • Location: Vancouver, Eh! Cleverness: 200

RhetoricalRuvim said:

I hope you don't mind me asking, but would combinations of operations per character of data for each character in the encryption key make for a secure encryption/decryption algorithm?
It would be the same as any other cipher. A lot of ciphers often do more than one operation per byte. Key-wise, it may be less relevant, as keys are random enough already.

#5
RhetoricalRuvim
    JavaScript Programmer
  • Members
  • 1,254 posts
  • Location: C:\Countries\US
I recently wrote some code that encrypts and decrypts data. The size of the encrypted data is equal to the size of the decrypted data; the functions I made only use ROR, ADD, ROL, and SUB (even though these are mnemonics for Intel assembly language, I did write the functions in JavaScript). The algorithms I wrote operate on the character codes of the data and the key.
